The code that handles needClientAuth and wantClientAuth is flawed. First some education. An SSLServerSocket can have only one of three states with regards to requesting client authentication: 1. don't request it (the default), 2. request it (set via setWantClientAuth) but if not supplied then that's okay, or 3. require it (set via setNeedClientAuth). So if you were to call both methods, then only the latter takes effect. Jetty is calling both (first the "need", then "want" method). The result is that it is impossible to need client authentication. I think Jetty should do the following:
Store the needClientAuth and wantClientAuth values internally as Boolean objects (so that they can be null).
In newServerSocket, check to see if both are non-null and if so throw some sort of configuration error.
Only call either of the set methods if their respective field is non-null.
I'd rather Jetty do this, which is essentially just facilitating configuration of the SSL APIs, rather than logical reasoning of need vs want, trying to figure out what is intended. Now it does neither, it is broken.